Co-Management – Transitioning to modern management in bite sized steps

Co-management is a brand-new feature in the latest Configuration Manager (ConfigMgr) release, 1710, and it has been making big waves in the systems management world (December 2017).


Written by Vishal Ladwa, Delivery Consultant, on 14 Dec 2017

Mind the Gap!

There are gaps between traditional and modern management which pose major roadblocks for enterprises wanting to make the transition.

So Microsoft have built a bridge to help make those first steps from traditional to modern management easier… and hopefully less painful!

What does it do?

The co-management feature essentially allows you to offload some of the ConfigMgr workloads into Intune to effectively manage (co-manage) Windows 10 1709 “Fall Creators Update” devices. It does this by managing the device with ConfigMgr and Intune at the same time, which means the device is on-premise domain joined and Azure Active Directory (AAD) joined at the same time.
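To confirm that a device is actually in the dual-joined state described above, the following added example (not code from the original article) parses the `Key : Value` lines printed by `dsregcmd /status` and checks the OS build against 16299, the build number of Windows 10 1709. The function names `ConvertFrom-DsRegStatus` and `Get-CoManagementJoinState` are hypothetical and the sample text is constructed.

```powershell
# Added example: names below are hypothetical, the sample text is constructed.
function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" pairs; banner and blank lines are skipped
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-CoManagementJoinState {
    param(
        [Parameter(Mandatory)][hashtable]$JoinState,
        [Parameter(Mandatory)][int]$OsBuild
    )
    $domain = $JoinState['DomainJoined'] -eq 'YES'
    $aad    = $JoinState['AzureAdJoined'] -eq 'YES'
    if ($domain -and $aad) { $type = 'Domain joined + AAD joined' }
    elseif ($aad)          { $type = 'AAD joined only' }
    elseif ($domain)       { $type = 'Domain joined only' }
    else                   { $type = 'Not joined' }
    [pscustomobject]@{
        JoinType      = $type
        DomainJoined  = $domain
        AzureAdJoined = $aad
        OsBuild       = $OsBuild
        # Windows 10 1709 "Fall Creators Update" is build 16299
        MeetsBuild    = $OsBuild -ge 16299
    }
}

# Constructed sample of the "Device State" block of `dsregcmd /status`
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

        AzureAdJoined : YES
     EnterpriseJoined : NO
         DomainJoined : YES
'@ -split "`r?`n"

Get-CoManagementJoinState -JoinState (ConvertFrom-DsRegStatus $sample) -OsBuild 16299

# On a live device, feed real data instead of the sample:
#   $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
#   Get-CoManagementJoinState -JoinState (ConvertFrom-DsRegStatus (dsregcmd /status)) -OsBuild $build
```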

Who is it good for?

Co-management is intriguing for organisations that fall into the following two scenarios:

ConfigMgr & Domain Joined

If you already have an existing ConfigMgr infrastructure established for systems management in your enterprise and you want to move some of the features into Intune for management.

Compliance Policies (devices must be reported as healthy, e.g. BitLocker enabled, Code Integrity enabled, Secure Boot enabled, antimalware enabled, otherwise a Conditional Access policy will block access). Intune has more advanced controls but is simpler to configure than ConfigMgr.

… therefore the co-management feature will automatically AAD join and enrol the device into Intune the next time the user signs in.

Intune & AAD Joined

If you’re already running systems management with Intune and are experiencing limitations which are not addressed by the current Intune capabilities.

For example, a tricky Win32 application deployment scenario which includes complex command lines. To address this scenario you want to offload it to ConfigMgr.

… and Intune has the capability to deploy the ConfigMgr clients to the AAD devices.

Why would you want to move feature management to Intune?

Almost all the customers I speak to are shifting their focus to move their IT into a modern management approach. So why the drive into modern management?

Agility –

Users are embracing dynamic ways of working and devices are no longer bound to the corporate network.

The business demands access to corporate resources 24/7, including Software as a Service (SaaS) applications, from a variety of devices in order to remain competitive.

Feature enhancements –

New features and capabilities are being rapidly rolled out every month that you may want to leverage.

Simplify management overheads –

Less complexity in taking care of on-premise hardware in datacentres, maintaining perimeter networks, AD Group Policies and even traditional OS deployment, with its managing and maintaining of a reference image, drivers etc.

However, due to the decades of investment in on-premise hardware, the immediate reliance on existing legacy IT systems and business processes and, most importantly, the need to stop digital disruption from rearing its ugly head, many organisations are realising the journey is going to be slow, arduous transitional steps rather than a giant leap into modern management utopia.

Therefore it is very likely there is a requirement for a mixture of both management methods to allow a more phased, managed and simplified transition from ConfigMgr + AAD to Intune + Azure AD modern management over a long period of time.

Up until co-management, you were limited to choosing either ConfigMgr or Intune to manage your devices. Now with Windows 10 1709 “Fall Creators Update” and ConfigMgr 1709 you have the option to use both to simultaneously manage your Windows 10 devices.

Here’s an example scenario of how co-management can work.

Management with Intune…

Compliance policies

Wi-Fi / VPN profiles

Windows Update for Business policies

At the same time manage the following features in ConfigMgr…

Application deployment

Configuration Baselines

So if you fall into one of the two scenarios above, co-management’s powerful capabilities will help you start transitioning workloads in your journey to modern management.

I expect enhancements to support further workloads in 2018. For further information check out this EM+S blog

So what's required to enable the co-management state?

Windows 10 1709 “Fall Creators Update” build

ConfigMgr 1710 Current Branch

Cloud Management Gateway (CMG)

A ConfigMgr proxy cloud service hosted in Azure that allows an internet ConfigMgr client to be managed by on-premise ConfigMgr

Cloud Distribution Point (CDP)

A cloud service hosted in Azure that provides content for internet-based ConfigMgr clients, similar to an on-premise Distribution Point role